On the Communication Complexity of Key-Agreement Protocols

Authors Iftach Haitner, Noam Mazor, Rotem Oshman, Omer Reingold, Amir Yehudayoff

Author Details

Iftach Haitner
  • The Blavatnik School of Computer Science, Tel Aviv University, Israel
Noam Mazor
  • The Blavatnik School of Computer Science, Tel Aviv University, Israel
Rotem Oshman
  • The Blavatnik School of Computer Science, Tel Aviv University, Israel
Omer Reingold
  • Computer Science Department, Stanford University, USA
Amir Yehudayoff
  • Department of Mathematics, Technion - Israel Institute of Technology, Israel

Cite As

Iftach Haitner, Noam Mazor, Rotem Oshman, Omer Reingold, and Amir Yehudayoff. On the Communication Complexity of Key-Agreement Protocols. In 10th Innovations in Theoretical Computer Science Conference (ITCS 2019). Leibniz International Proceedings in Informatics (LIPIcs), Volume 124, pp. 40:1-40:16, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2019)

Abstract

Key-agreement protocols whose security is proven in the random oracle model are an important alternative to protocols based on public-key cryptography. In the random oracle model, the parties and the eavesdropper have access to a shared random function (an "oracle"), but the parties are limited in the number of queries they can make to the oracle. The random oracle serves as an abstraction for black-box access to a symmetric cryptographic primitive, such as a collision-resistant hash. Unfortunately, as shown by Impagliazzo and Rudich [STOC '89] and Barak and Mahmoody [Crypto '09], such protocols can only guarantee limited secrecy: the key of any l-query protocol can be revealed by an O(l^2)-query adversary. This quadratic gap between the query complexity of the honest parties and that of the eavesdropper matches the gap obtained by Merkle's Puzzles [Merkle, CACM '78]. In this work we tackle a new aspect of key-agreement protocols in the random oracle model: their communication complexity. In Merkle's Puzzles, to obtain secrecy against an eavesdropper that makes roughly l^2 queries, the honest parties need to exchange Omega(l) bits. We show that for protocols with certain natural properties, ones that Merkle's Puzzles has, such high communication is unavoidable. Specifically, this is the case if the honest parties' queries are uniformly random, or alternatively if the protocol uses non-adaptive queries and has only two rounds. Our proof for the first setting uses a novel reduction from the set-disjointness problem in two-party communication complexity. For the second setting we prove the lower bound directly, using information-theoretic arguments. Understanding the communication complexity of protocols whose security is proven in the random-oracle model is an important question in the study of practical protocols. Our results and proof techniques are a first step in this direction.
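To make the quantities in the abstract concrete, the following is an added toy simulation (written for this page, not code from the paper or its authors) of Merkle's Puzzles against a simulated random oracle. Alice and Bob each make l oracle queries over a domain of size l^2 and exchange Theta(l) oracle outputs; the eavesdropper Eve, who sees the whole transcript, recovers the key by inverting the oracle with at most l^2 queries. The class and function names, the 64-bit oracle output length, and the retry-over-seeds driver are all choices made for this illustration.

```python
"""Merkle's Puzzles over a simulated random oracle (constructed example).

Honest parties: l queries each, about 64*l bits of communication.
Eavesdropper: generic inversion of the oracle, at most l^2 queries.
"""
import math
import random
from typing import Dict, Optional


class RandomOracle:
    """Lazily sampled random function {0,...,N-1} -> {0,1}^out_bits.

    The function table is shared (it is one oracle), but queries are
    counted per caller: the counter, not the table size, is each
    party's query complexity.
    """

    def __init__(self, rng: random.Random, out_bits: int = 64) -> None:
        self._rng = rng
        self._table: Dict[int, int] = {}
        self.out_bits = out_bits
        self.queries: Dict[str, int] = {}

    def query(self, who: str, x: int) -> int:
        self.queries[who] = self.queries.get(who, 0) + 1
        if x not in self._table:
            self._table[x] = self._rng.getrandbits(self.out_bits)
        return self._table[x]


def merkle_puzzles(ell: int, seed: int = 0) -> dict:
    """Run one execution with domain size ell**2 and ell queries per party.

    Returns keys derived by Alice, Bob and the eavesdropper Eve, the
    per-party query counts, and the number of bits sent on the channel.
    A run may fail to agree (no collision found); that is reported too.
    """
    rng = random.Random(seed)          # seeded so the toy is reproducible
    oracle = RandomOracle(rng)
    domain = ell * ell

    # Alice: ell random puzzle solutions, sent only as their oracle images.
    alice_inputs = [rng.randrange(domain) for _ in range(ell)]
    msg1 = [oracle.query("alice", x) for x in alice_inputs]

    # Bob: up to ell random guesses; the first whose image appears in msg1
    # is the shared key, and he announces only the *index* of that image.
    position = {h: i for i, h in enumerate(msg1)}
    bob_key: Optional[int] = None
    chosen_index: Optional[int] = None
    for _ in range(ell):
        y = rng.randrange(domain)
        if (h := oracle.query("bob", y)) in position:
            bob_key, chosen_index = y, position[h]
            break
    if chosen_index is None:
        return {"agreed": False, "alice_queries": ell, "bob_queries": ell}
    alice_key = alice_inputs[chosen_index]

    # Eve sees msg1 and chosen_index and inverts the oracle by brute force
    # over the whole domain: at most ell**2 queries, about ell**2 / 2 expected.
    target = msg1[chosen_index]
    eve_key: Optional[int] = None
    for x in range(domain):
        if oracle.query("eve", x) == target:
            eve_key = x
            break

    # Communication: ell oracle images from Alice plus one index from Bob.
    bits = ell * oracle.out_bits + max(1, math.ceil(math.log2(ell)))
    return {
        "agreed": alice_key == bob_key,
        "alice_key": alice_key, "bob_key": bob_key, "eve_key": eve_key,
        "alice_queries": oracle.queries["alice"],
        "bob_queries": oracle.queries["bob"],
        "eve_queries": oracle.queries.get("eve", 0),
        "bits_communicated": bits,
    }


def run_until_agreement(ell: int, max_tries: int = 50) -> dict:
    """Each run agrees with probability about 1 - 1/e; retry fresh seeds."""
    for seed in range(max_tries):
        result = merkle_puzzles(ell, seed)
        if result["agreed"]:
            return result
    raise RuntimeError("no agreeing run found")


if __name__ == "__main__":
    r = run_until_agreement(64)
    print(f"honest queries: {r['alice_queries']} + {r['bob_queries']}, "
          f"eve queries: {r['eve_queries']}, bits sent: {r['bits_communicated']}")
```

The quadratic gap shows up directly in the counters: the honest parties stay at l queries each while Eve's brute-force inversion grows with the domain size l^2, and the l oracle outputs Alice must ship are the Omega(l) communication the paper proves unavoidable for protocols of this shape.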

Subject Classification

ACM Subject Classification
  • Theory of computation → Cryptographic protocols

Keywords
  • key agreement
  • random oracle
  • communication complexity
  • Merkle's puzzles

References

  1. Miklós Ajtai and Cynthia Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In Proceedings of the 29th Annual ACM Symposium on Theory of Computing (STOC), pages 284-293. ACM, 1997.
  2. B. Barak and M. Mahmoody. Merkle Puzzles Are Optimal - An O(n^2)-Query Attack on Any Key Exchange from a Random Oracle. In Advances in Cryptology - CRYPTO '09, pages 374-390, 2009.
  3. Daniel J. Bernstein and Tanja Lange. eBACS: ECRYPT Benchmarking of Cryptographic Systems. https://bench.cr.yp.to, accessed 15 May 2018.
  4. Benny Chor and Eyal Kushilevitz. A zero-one law for boolean privacy. SIAM Journal on Discrete Mathematics, 4(1):36-47, 1991.
  5. Whitfield Diffie and Martin E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, 22(6):644-654, 1976.
  6. Anat Ganor, Gillat Kol, and Ran Raz. Exponential separation of information and communication for boolean functions. In Proceedings of the 47th Annual ACM Symposium on Theory of Computing (STOC), pages 557-566. ACM, 2015.
  7. Iftach Haitner, Jonathan J. Hoch, Omer Reingold, and Gil Segev. Finding Collisions in Interactive Protocols - Tight Lower Bounds on the Round and Communication Complexities of Statistically Hiding Commitments. SIAM Journal on Computing, 44(1):193-242, 2015. Preliminary version in STOC '07.
  8. Iftach Haitner, Noam Mazor, Rotem Oshman, Omer Reingold, and Amir Yehudayoff. On the Communication Complexity of Key-Agreement Protocols. In Electronic Colloquium on Computational Complexity (ECCC), volume 25, page 31, 2018.
  9. Iftach Haitner, Eran Omri, and Hila Zarosim. Limits on the usefulness of random oracles. Journal of Cryptology, 29(2):283-335, 2016.
  10. Russell Impagliazzo and Steven Rudich. Limits on the provable consequences of one-way permutations. In Proceedings of the 21st Annual ACM Symposium on Theory of Computing (STOC), pages 44-61. ACM Press, 1989.
  11. Mohammad Mahmoody, Hemanta K. Maji, and Manoj Prabhakaran. Limits of random oracles in secure computation. arXiv preprint, 2012. URL: http://arxiv.org/abs/1205.3554.
  12. Robert J. McEliece. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report 42-44, pages 114-116, 1978.
  13. Ralph C. Merkle. Secure Communications over Insecure Channels. In SIMMONS: Secure Communications and Asymmetric Cryptosystems, 1982.
  14. Michael O. Rabin. Digitalized signatures and public-key functions as intractable as factorization. Technical report, Massachusetts Institute of Technology, Laboratory for Computer Science, Cambridge, 1979.
  15. Anup Rao and Makrand Sinha. Simplified Separation of Information and Communication. In Electronic Colloquium on Computational Complexity (ECCC), volume 22 (57), pages 2-3, 2015.
  16. Alexander A. Razborov. On the distributional complexity of disjointness. Theoretical Computer Science, 106(2):385-390, 1992.
  17. Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.